Samy Worm

Samy Kamkar's story can be read here. It summarizes a timeline of the events of an XSS worm released on MySpace. This worm would automatically add Samy as a friend and put him at the top of your "My Heroes" list.

MySpace blocked script tags and the regular on* and href attributes, so the starting point was:

<div style="background:url('javascript:alert(1)')">

The word javascript was stripped, but breaking it up with a newline caused it to bypass the filter.
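Why stripping the literal word fails, and what a sturdier check looks like, as an added example that is not code from MySpace or from Samy's write-up. The function names and sample strings are constructed, and the hardened check assumes only http(s) and relative URLs are wanted in CSS url() values.

```javascript
// Added example: function names and inputs are constructed for illustration.

// Constructed samples: the starting point from the text, the same markup with
// a newline inside the word, and an ordinary background image.
const plain = `<div style="background:url('javascript:alert(1)')">`;
const split = `<div style="background:url('java\nscript:alert(1)')">`;
const benign = `<div style="background:url('https://example.com/bg.png')">`;

// Weak filter: deletes the contiguous word "javascript" and nothing else.
// A newline inside the word means the pattern never matches.
function naiveStrip(html) {
  return html.replace(/javascript/gi, "");
}

// Hardened check: pull out every CSS url(...) target, remove whitespace and
// control characters before looking at it, then allow only http(s) schemes
// or scheme-less (relative) targets. Everything else is rejected.
function hasUnsafeCssUrl(html) {
  const urlRe = /url\(\s*(['"]?)([\s\S]*?)\1\s*\)/gi;
  for (const m of html.matchAll(urlRe)) {
    const target = m[2].replace(/[\s\u0000-\u001f]+/g, "").toLowerCase();
    const scheme = /^([a-z][a-z0-9+.-]*):/.exec(target);
    if (scheme && !["http", "https"].includes(scheme[1])) {
      return true;
    }
  }
  return false;
}

// Sanitizer decision for user-supplied markup: reject rather than rewrite,
// so there is no "cleaned" output that can still be reinterpreted later.
function acceptMarkup(html) {
  return !hasUnsafeCssUrl(html);
}

for (const [name, html] of [["plain", plain], ["split", split], ["benign", benign]]) {
  console.log(name, {
    naiveChanged: naiveStrip(html) !== html,
    accepted: acceptMarkup(html),
  });
}
```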

Since both single and double quotes are used up in getting the JavaScript inserted, there isn't any way to write an exploit. Any quote used in the malicious JavaScript would escape its insertion point.